12375573

Container Event Monitoring Using Kernel Space Communication

Published: July 29, 2025
Assignee: not available in USPTO data we have

Patent Claims
17 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: opening, by an agent deployed in a cloud environment, a communication channel between the agent and a kernel of an operating system of a node within the cloud environment; determining, by the agent and via the communication channel, an event associated with a namespace of the operating system; determining, by the agent and based on the event, a status of a container associated with the node; and providing, by the agent to a data platform, a message indicative of the status of the container, wherein determining the event comprises: subscribing, by the agent with the kernel, to a class of events associated with creation or deletion of the namespace; and receiving, by the agent, an indication of the event.

2. The method of claim 1, wherein the opening the communication channel comprises: opening a socket between the agent and the kernel, wherein the agent comprises a user space process, and wherein the kernel comprises a kernel process.

3. The method of claim 1, wherein the determining the status of the container comprises: requesting, by the agent and from a container runtime operating within the node, data indicative of one or more containers operating within the node at a particular time; and determining, by the agent and based on data indicative of one or more containers operating within the node at a time prior to the particular time, creation of the container, wherein the container is among the one or more containers operating within the node at the particular time.

4. The method of claim 1, wherein the determining the status of the container comprises: requesting, by the agent and from a container runtime operating within the node, data indicative of one or more containers operating within the node at a particular time; and determining, by the agent and based on data indicative of one or more containers operating within the node at a time prior to the particular time, deletion of the container, wherein the container is not among the one or more containers operating within the node at the particular time.

5. The method of claim 1, further comprising: determining, based at least in part on the determining the status of the container associated with the node, one or more behavioral relationships between logical entities within the cloud environment, wherein the logical entities comprise one or more of: a workload, an application, a process, a machine, a set of containers, a file, a network address, a domain name, or a user profile; and determining, based on the one or more behavioral relationships, a polygraph.

6. The method of claim 1, wherein the determining the status of a container associated with the node occurs prior to receiving an indication of the status of the container from a container runtime operating within the node.

7. A computer program product embodied in a non-transitory computer-readable medium and comprising computer instructions for: opening, by an agent deployed in a cloud environment, a communication channel between the agent and a kernel of an operating system of a node within the cloud environment; determining, by the agent and via the communication channel, an event associated with a namespace of the operating system; determining, by the agent and based on the event, a status of a container associated with the node; and providing, by the agent to a data platform, a message indicative of the status of the container, wherein determining the event comprises: subscribing, by the agent with the kernel, to a class of events associated with creation or deletion of the namespace; and receiving, by the agent, an indication of the event.

8. The computer program product of claim 7, wherein the opening the communication channel comprises: opening a socket between the agent and the kernel, wherein the agent comprises a user space process, and wherein the kernel comprises a kernel process.

9. The computer program product of claim 7, wherein the determining the status of the container comprises: requesting, by the agent and from a container runtime operating within the node, data indicative of one or more containers operating within the node at a particular time; and determining, by the agent and based on data indicative of one or more containers operating within the node at a time prior to the particular time, creation of the container, wherein the container is among the one or more containers operating within the node at the particular time.

10. The computer program product of claim 7, wherein the determining the status of the container comprises: requesting, by the agent and from a container runtime operating within the node, data indicative of one or more containers operating within the node at a particular time; and determining, by the agent and based on data indicative of one or more containers operating within the node at a time prior to the particular time, deletion of the container, wherein the container is not among the one or more containers operating within the node at the particular time.

11. The computer program product of claim 7, wherein the computer instructions further perform: determining, based at least in part on the determining the status of the container associated with the node, one or more behavioral relationships between logical entities within the cloud environment, wherein the logical entities comprise one or more of: a workload, an application, a process, a machine, a set of containers, a file, a network address, a domain name, or a user profile; and determining, based on the one or more behavioral relationships, a polygraph.

12. The computer program product of claim 7, wherein the determining the status of a container associated with the node occurs prior to receiving an indication of the status of the container from a container runtime operating within the node.

13. A system for monitoring a cloud environment, the system comprising: a memory storing computer-executable instructions; and a processor that executes the computer-executable instructions to: open a communication channel between an agent and a kernel of an operating system of a node within the cloud environment; determine, via the communication channel, an event associated with a namespace of the operating system; determine, based on the event, a status of a container associated with the node; and provide, to a data platform, a message indicative of the status of the container, wherein determining the event further comprises computer-executable instructions to: subscribe, by the agent with the kernel, to a class of events associated with creation or deletion of the namespace; and receive, by the agent, an indication of the event.

14. The system of claim 13, wherein the computer-executable instructions to open the communication channel between the agent and the kernel of the operating system of the node within the cloud environment further comprise computer-executable instructions to: open a socket between the agent and the kernel, wherein the agent comprises a user space process, and wherein the kernel comprises a kernel process.

15. The system of claim 13, wherein the computer-executable instructions to determine, based on the event, the status of the container associated with the node further comprise computer-executable instructions to: request, by the agent and from a container runtime operating within the node, data indicative of one or more containers operating within the node at a particular time; and determine, by the agent and based on data indicative of one or more containers operating within the node at a time prior to the particular time, creation of the container, wherein the container is among the one or more containers operating within the node at the particular time.

16. The system of claim 13, wherein the computer-executable instructions further comprise computer-executable instructions to: determine, based at least in part on the determining the status of the container associated with the node, one or more behavioral relationships between logical entities within the cloud environment, wherein the logical entities comprise one or more of: a workload, an application, a process, a machine, a set of containers, a file, a network address, a domain name, or a user profile; and determine, based on the one or more behavioral relationships, a polygraph.

17. The system of claim 13, wherein the computer-executable instructions to determine the status of a container associated with the node are executed prior to the computer executable instructions to receive an indication of the status of the container from a container runtime operating within the node.

Patent Metadata

Filing Date: Unknown

Publication Date: July 29, 2025

Inventors

Anil K. Nanduri
Prakash Jalan
Matti A. Vanninen
Ammar G. Ekbote
Alex Ramachandran Nirmala
Yijou Chen

Cite as: Patentable. “Container Event Monitoring Using Kernel Space Communication” (12375573). https://patentable.app/patents/12375573
